Germany Wants to Require Companies to Report Cyber Incidents

As the House considers cybersecurity legislation this week, it’s illuminating to compare how the United States proposes to protect critical infrastructure vis-à-vis other Western powers.

The approach in Germany, a country with which the US has deep and abiding mutual interests in the military and intelligence community, is to protect cyberspace through direct regulation of companies that provide Internet and communications services. This is a broader and more direct approach than what the US is considering. According to a new proposal from Germany’s Minister of the Interior, the following would be “required to meet minimum IT security standards”:

“Operators of critical infrastructure;”

“telecom providers;”

“telemedia services.”

In addition, all those companies must “report significant IT security incidents” to Germany’s Federal Office for Information Security. The providers must also make “easy-to-use security tools” available to their customers. And the telemedia companies would be “obligated to implement recognized protective measures to improve IT security to a reasonable degree.”

There’s a lot in this document that isn’t defined. What does the German government consider “critical infrastructure”? What qualifies as “easy-to-use”? Who are “telemedia services” companies? (Presumably companies like YouTube or Netflix, but it’s not clear to me how Germany would go about regulating non-German companies in this context.)

The document is just a proposal. But as Paul Rosenzweig at Lawfare (who helpfully posted the English translation) points out, “In Germany, more so than in the US, government proposals come from the executive and are likely to be adopted by the parliament.”

When you compare this German proposal to an earlier set of proposed rules by the European Union, which also would require companies, such as banks and Internet providers, to report security incidents, you start to see a common picture emerging. The European approach to getting a handle on cyber threats is to require companies to cooperate with the government, which presumes some overall responsibility for the security of networks in the national interest.

An approach this broad hasn’t flown in the United States, though there have arguably been versions of it in specific sectors, the Defense Industrial Base, for instance. It’s important to keep that in mind as Congress moves forward with cyber legislation. The US approach may end up looking something like the German one, but in individual sectors that the government deems need the most protection. This wouldn’t look like a broad regulatory regime, but maybe a set of sticks and carrots applied to, say, energy companies that effectively force them to beef up their security to a standard that the government accepts. I’ve heard from some energy company executives who say they’re already required to do this, through their current regulators.